Approach for processing print data using password control data

ABSTRACT

A printing device includes a locked print module that is configured to examine print data received by the printing device and determine whether the print data should be processed as locked print data. If so, then the print data is stored on the printing device and not immediately processed for printing. The locked print module also authenticates a user and allows the user to request printing of the print data. The user is queried for a password and if successfully verified, the locked print module determines a password type of the password associated with the print data and identifies password control data stored on the printing device that corresponds to the password type. The locked print module processes the print data based upon the password control data to generate processed print data and causes the processed print data to be printed at the printing device.

RELATED APPLICATION DATA

This application is related to U.S. patent application Ser. No. 12/059,836 entitled APPROACH FOR PRINTING POLICY-ENABLED ELECTRONIC DOCUMENTS USING LOCKED PRINTING, filed Mar. 31, 2008; U.S. patent application Ser. No. 12/059,986 entitled APPROACH FOR PRINTING POLICY-ENABLED ELECTRONIC DOCUMENTS USING LOCKED PRINTING AND A SHARED MEMORY DATA STRUCTURE, filed Mar. 31, 2008; U.S. patent application Ser. No. 12/166,741 entitled LOCKED PRINT AND DOCUMENT POLICY MANAGEMENT SYSTEM, filed Jul. 2, 2008; U.S. patent application Ser. No. 11/439,796 entitled REMOTE STORED PRINT JOB RETRIEVAL, filed May 23, 2006; U.S. patent application Ser. No. 11/411,248 entitled APPROACH FOR IMPLEMENTING LOCKED PRINTING WITH REMOTE UNLOCK ON PRINTING DEVICES, filed Apr. 25, 2006; U.S. patent application Ser. No. 11/346,479 entitled APPROACH FOR IMPLEMENTING LOCKED PRINTING ON PRINTING DEVICES, filed Feb. 1, 2006; U.S. patent application Ser. No. 11/656,592 entitled FAULT TOLERANT PRINTING SYSTEM, filed Jan. 22, 2007; U.S. patent application Ser. No. 11/788,517 entitled APPROACH FOR IMPLEMENTING LOCKED PRINTING WITH UNLOCK VIA A KEYPAD, filed Apr. 20, 2007; and U.S. patent application Ser. No. 11/880,359 entitled APPROACH FOR PROCESSING PRINT JOBS ON PRINTING DEVICES, filed Jul. 20, 2007, the contents all of which are incorporated by reference in their entirety for all purposes as if fully set forth herein.

FIELD OF THE INVENTION

This invention relates generally to printing of electronic documents.

BACKGROUND

The approaches described in this section are approaches that could be pursued, but not necessarily approaches that have been previously conceived or pursued. Therefore, unless otherwise indicated, the approaches described in this section may not be prior art to the claims in this application and are not admitted to be prior art by inclusion in this section.

The proliferation of communications networks, and in particular the Internet, has raised growing concerns about the security of information transmitted over networks. Numerous protection schemes have been implemented to secure electronic documents transmitted over the Internet, ranging from simple passwords to strong encryption. Some printing devices are configured with a feature known as “locked printing” to provide control over the printing of electronic documents. When a printing device is configured with a locked printing feature and print data is sent to the printing device, a printed version of an electronic document reflected in the print data is not generated until a password is verified at the printing device. Typically a user enters a password through an operation panel on the printing device. The printing device verifies the password and if the password is successfully verified, allows the user to access and print stored print data.

In addition to locked printing, some electronic documents are also password protected. For example, when a user creates an electronic document using an application program, the user may protect the electronic document using a password. The print data is encrypted based upon the password and transmitted to the printing device. After accessing locked print jobs and selecting particular print data, the user is queried for the password associated with the particular print data. If the user enters the correct password, the print data is processed and the electronic document contained in the print data is printed.

Policy-based solutions have also been developed that allow business organizations to control access to electronic documents. An electronic document for which the access thereto is controlled using a policy is referred to hereinafter as “policy-enabled document.” A policy defines the conditions under which a user is granted access to an electronic document. For example, a policy might specify that particular users are allowed access to the electronic document. Alternatively, the policy might specify that all users on a particular project, or all users at a specified level or higher within a business organization, may access the electronic document.

When a user attempts to open the electronic document through an application, the application prompts the user for user credentials, typically in the form of a user ID and password. The user credentials are authenticated to verify the user. Then, the credentials are provided to a policy server along with data that identifies the electronic document that the user is attempting to access. The policy server retrieves a policy associated with the electronic document and then determines, based upon the policy, whether the user should be allowed to access the electronic document. The policy server returns data to the application that indicates whether the user is allowed to access the electronic document. The application selectively allows the user access to the electronic document based upon the data provided by the policy server.

One of the main benefits of the policy-based approach is that the access rights for any number of electronic documents may be changed by changing single policy, without having to change each of the electronic documents. For example, a business organization may change a single policy for a product that may affect access to a hundreds or even thousands of electronic documents.

One of the issues with password protecting documents is that printing devices must be capable of processing the protected print data into a form so that the electronic document can be printed. For example, the printing device may decrypt encrypted print data to recover original print data that can be processed. The processing required to successfully process a protected document varies depending upon the application that was used to protect the electronic document. For example, a word processing application may use one type of encryption while a spreadsheet application may use a different type of encryption. The printing device must be capable of using both types of decryption. Furthermore, the type or version of encryption used by an application program may change over time. Thus, in some situations a printing device must support multiple types of encryption and multiple versions of each type of encryption.

SUMMARY

An approach is provided for processing print data at a printing device. A printing device includes a user interface and a locked print module. The user interface is configured to display information to users and receive user input from the users. The locked print module is configured to examine print data received by the printing device and determine whether the print data should be processed as locked print data. This may include determining whether the print data includes any password commands. If a determination is made that the print data is to be processed as locked print data, then the print data is stored on the printing device and not immediately processed for printing. The locked print module is further configured to authenticate a user via the user interface and upon successful authentication of the user, allow the user to request printing of the print data via the user interface. In response to detecting a user request to print the print data, the user is queried for a password associated with the print data. If the password received from the user via the user interface matches the password associated with the print data, then the locked print module determines a password type of the password associated with the print data and identifies password control data stored on the printing device that corresponds to the password type and indicates how print data associated with the password type is to be processed. The locked print module processes the print data based upon the password control data to generate processed print data and causes the processed print data to be printed at the printing device.

BRIEF DESCRIPTION OF THE DRAWINGS

In the figures of the accompanying drawings like reference numerals refer to similar elements.

FIG. 1 is a block diagram that depicts an arrangement for processing print data using password control data according to an embodiment of the invention.

FIG. 2A is a block diagram that depicts an example implementation of locked print module, according to one embodiment of the invention.

FIG. 2B depicts example password control data, according to one embodiment of the invention.

FIG. 2C depicts an example implementation of a password control block, according to one embodiment of the invention

FIG. 3A is a flow diagram that depicts an approach for processing print data using password control data, according to one embodiment of the invention.

FIG. 3B is a flow diagram that depicts determining whether print data should be processed as locked print data, according to one embodiment of the invention.

FIG. 4 is a block diagram that depicts an example implementation of a printing device configured to support processing of print data using password control data, according to one embodiment of the invention.

FIG. 5 is a block diagram of a computer system on which embodiments of the invention may be implemented.

DETAILED DESCRIPTION

In the following description, for the purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the present invention. It will be apparent, however, to one skilled in the art that the present invention may be practiced without these specific details. In other instances, well-known structures and devices are shown in block diagram form in order to avoid unnecessarily obscuring the present invention. Various aspects of the invention are described hereinafter in the following sections:

-   -   I. OVERVIEW     -   II. ARCHITECTURE FOR PROCESSING PRINT DATA USING PASSWORD         CONTROL DATA     -   III. PASSWORD CONTROL DATA     -   IV. PROCESSING PRINT DATA USING PASSWORD CONTROL DATA     -   V. IMPLEMENTATION MECHANISMS         I. Overview

An approach is provided for processing print data at a printing device. A printing device includes a user interface and a locked print module. The user interface is configured to display information to users and receive user input from the users. The locked print module is configured to examine print data received by the printing device and determine whether the print data should be processed as locked print data. This may include determining whether the print data includes any password commands. If a determination is made that the print data is to be processed as locked print data, then the print data is stored on the printing device and not immediately processed for printing. The locked print module is further configured to authenticate a user via the user interface and upon successful authentication of the user, allow the user to request printing of the print data via the user interface. In response to detecting a user request to print the print data, the user is queried for a password associated with the print data. If the password received from the user via the user interface matches the password associated with the print data, then the locked print module determines a password type of the password associated with the print data and identifies password control data stored on the printing device that corresponds to the password type and indicates how print data associated with the password type is to be processed. The locked print module processes the print data based upon the password control data to generate processed print data and causes the processed print data to be printed at the printing device.

This approach allows print data to be printed remotely but manages the print data on printing devices as locked print data to provide improved control. The use of password control data provides support for multiple types of passwords, including legacy and new password types and password hierarchies. Furthermore, the approach is compatible with existing locked printing solutions.

II. Architecture for Processing Print Data Using Password Control Data

FIG. 1 is a block diagram that depicts an arrangement 100 for processing print data using password control data according to an embodiment of the invention. Arrangement 100 includes a printing device 102, a client device 104, a policy server 106 and an authentication server 108, communicatively coupled via a network 110.

Printing device 102 may be implemented by any type of device that is capable of processing print data and generating printed versions of electronic documents reflected in the print data. In example arrangement 100, printing device 102 includes a user interface 116, a print process 118, a locked print module 120 and storage 122. Printing device 102 may be configured with other mechanisms, processes and functionality, depending upon a particular implementation, and the approach described herein for printing policy-enabled documents on a printing device using locked printing is not limited to any particular type of printing device 102. For example, printing device 102 may be a multi-function peripheral (MFP) that includes any combination of printing, copying, facsimile and scanning capability, etc.

User interface 116 may be any mechanism and/or medium that provides for the exchange of information between a user and printing device 102. Examples of user interface 116 include, without limitation, a control panel with a display and keypad or keyboard, a cathode ray tube (CRT), a liquid crystal display (LCD), a keyboard, touchpad, mouse, trackball, a microphone and speakers, and any combination thereof. Printing device 102 may be configured to display information on user interface 116 in any number of languages, depending upon a particular implementation. As with conventional printing devices, the user interface 116 on printing device 102 may provide limited capability to easily enter alphanumeric strings.

Print process 118 may be implemented by one or more processes for processing print data received from client device 104 and for generating a printed version of an electronic document reflected in the print data. Print process 118 and locked print module 120 may be implemented as resident processes on printing device 102. Alternatively, print process 118 and locked print module 120 may be made available to printing device 102 on a removable media or may be implemented at a remote location with respect to printing device 102. Locked print module may be implemented by one or more processes for providing locked print services on printing device 102.

FIG. 2A is a block diagram that depicts an example implementation of locked print module 120, according to one embodiment of the invention. In this example, locked print module 120 includes a job capture and store module 200, a user interface and PSM client module 202 and a Web configuration module 204. Job capture and store module 200 determines whether print data received by printing device 102 is designated as a locked print job. This may include examining the contents of the print data and/or a header associated with the print data to detect the presence of data that indicates that the print data is a locked print job. If print data received by printing device 102 is not designated as a locked print job, then the print data is processed in the order in which it was received. If print data received by printing device 102 is designated as a locked print job, then job capture and store module 200 causes the print data to be stored on storage 122 instead of being immediately processed for printing. To print an electronic document that has been designated for locked print, a user enters user credentials, e.g., a user ID and password, into user interface 116. The locked print module 120 authenticates the user ID and password, either locally or remotely, and if successful, displays a list of locked print jobs associated with that user that are stored on storage 122. The user may select one or more of the locked print jobs for printing and the locked print module 120 causes the selected print jobs to be processed.

User interface and PSM client module 202 causes information to be displayed to a user on user interface 116 and also processes user input received via the user interface 116. The user interface and PSM client module 202 also communicates with the policy server 106 to determine whether a user is authorized by a policy to print a particular electronic document, as described in more detail hereinafter. Web configuration module 204 allows a user, such as an administrator, to configure locked print parameters. For example, the Web configuration module 204 may provide a Web-based user interface for an administrator.

Storage 122 may be implemented by any type of storage, including volatile storage, non-volatile storage, or any combination of volatile and non-volatile storage. Examples of storage 122 include, without limitation, random access memory (RAM) and one or more disks. In the present example, storage 122 includes print data 124 and password control data 126. The password control data 126 is used by the locked print module 120 to process print data as described in more detail hereinafter.

User interface 116, print process 118, locked print module 120 and storage 122 may be implemented in hardware, software, or any combination of hardware or software, depending upon a particular implementation.

Client device 104 may be implemented by any type of client device. Example implementations of client device 104 include, without limitation, workstations, personal computers, laptop computers, personal digital assistants (PDAs), cellular telephony devices and any type of mobile devices. In the example arrangement depicted in FIG. 1, client device 104 is configured with an application 112 and a print driver 114. Application 112 may be any type of application process. Examples of application 112 include, without limitation, a word processor, a spreadsheet program and an email client. Print driver 114 is configured to provide a user interface for a user to specify that locked printing is to be used to print particular print data. Print driver 114 is also configured to process data from application 112 and generate print data that is provided to printing device 102 for processing. Thus, application 112 and print driver 114 operate together to generate and provide print data to printing device 102. Client device 104 may be configured with other mechanisms, processes and functionality, depending upon a particular implementation.

Policy server 106 is an entity that is capable of determining, based upon a policy, whether a user is authorized to print an electronic document. For example, given a user ID, password and identification of an electronic document, policy server 106 is able to determine whether, based upon a policy, the user is authorized to print the electronic document. Authentication server 108 is an entity that is capable of authenticating a user. For example, authentication server 108 may be configured to determine whether a user ID and password pair match any of a set of User ID and password pairs stored on authentication server 108 and provide a message or other corresponding indication.

Network 110 may be implemented by any type of medium and/or mechanism (wired or wireless) that facilitates the exchange of information between client device 104, printing device 102 and client device 104. Furthermore, network 110 may use any type of communications protocol and may be secured or unsecured, depending upon the requirements of a particular application.

III. Password Control Data

Password control data 126 may be generated and maintained using a wide variety of techniques, depending upon a particular implementation. For example, password control data 126 may be generated and maintained using a password control data management application that may reside on the printing device 102. An administrator uses the password control data management application to generate, edit and delete password control data. For example, when a new application is introduced, a password control block may be generated for the new application. As another example, new password control blocks for a particular password may be appended to existing password control blocks for the particular password.

FIG. 2B depicts example password control data 250, according to one embodiment of the invention. In this example, password control data 250 includes a set of password control blocks that include password control block 1 252, password control block 2 254 through password control block N 256. Each password control block is associated with a password type and is used by the locked print module 120 to process associated print data. The password control blocks may be maintained in any format or data structure, depending upon a particular implementation. For example, the password control blocks may be maintained as a link list. FIG. 2C depicts an example implementation of a password control block, according to one embodiment of the invention. In this example implementation, a password control block includes a password type 258, a size 260, an encryption type 262, a priority 264 and a status 266. The password type 258 indicates the type of password and may also indicate the type of application that generated the password. The size 260 field indicates the size, e.g., number of bytes, of the password or encoding data used to encrypt or encode the print data. The encryption type 262 indicates the type of encryption or encoding used to encrypt or encode the print data. The priority 264 indicates an access level of the password for the user's access rights. The status 266 indicates the status of the password, e.g., whether the password is an old password, a modified password, a new password or a removed password.

IV. Processing Print Data Using Password Control Data

FIG. 3A is a flow diagram 300 that depicts an approach for processing print data using password control data, according to one embodiment of the invention. In step 302, a user initiates printing of a policy-enabled document. For example, a user of client device 104 initiates printing of an electronic document via application 112. The electronic document may have been designated, for example via application 112, as a policy-enabled document at the time of creation or at a later time.

In step 304, print data is generated by print driver 114 and the print data indicates that the electronic document reflected in the print data is a policy-enabled document. For example, the print data, or a header associated with the print data, may include one or more Print Job Language (PJL) or Page Descriptor Language (PDL) commands that specify that the electronic document is a policy-enabled document.

In step 306, the client device 104 transmits the print data to the printing device 102 over network 110. To cause the print data to be processed by locked print module 120, the print data may be transmitted to a particular port. For example, the printing data may be transmitted to a particular Transport Control Protocol (TCP) port, such as port 9100 or 515 as two possible examples, to cause locked print module 120 to receive and process the print data. Alternatively, the print data may simply be sent to the printing device 102 and an operating system routine or other routine forwards the print data to locked print module 120 for processing.

In step 308, at the printing device, a determination is made whether the print data should be processed as locked print data. According to one embodiment of the invention, the locked print module 120 examines the print data to determine whether the print data electronic document reflected in the print data is a policy-enabled electronic document. This may be determined, for example, by the presence of one or more password commands or codes in the print data. The password codes may be contained in a header portion of the print data, in the body portion of the print data, or any combination of a header portion and body portion of the print data. For example, in some implementations, the application that generates the print data in conjunction with a print driver may create a header that is appended to the print data and the header contains one or more password commands. For example, the print data may include an APSPASSWORD command indicating that the electronic document contained in the print data is a policy-enabled electronic document. As another example, the print data may include a PDFPASSWORD command indicating that the electronic document contained in the print data is a password protected PDF document. As yet another example, the print data may include a password command indicating that the electronic document contained in the print data is a locked print document protected by a password.

In step 310, if a determination is made that the print data is to be processed as locked print data, then the print data is stored on the printing device and not immediately processed for printing. According to one embodiment of the invention, the print data is stored on storage 122 and managed as locked print data. If the print data is not to be processed as a locked print data, then the print data is processed normally.

FIG. 3B is a flow diagram 350 that depicts an example implementation of steps 308, 310 in more detail. In step 352 print data is evaluated to identify secure data information. In step 354 a determination is made whether the print data includes an APSPASSWORD command. If so, then in step 356, a determination is made whether the print data includes an APSUSERNAME command. If so, then as indicated by step 358, the electronic document contained in the print data is a policy-enabled document. In step 360, the print data is processed as locked print data and is stored on storage 122 and not immediately processed.

Returning to step 354, if the print data does not contain an APSPASSWORD command, then in step 362, a determination is made whether the print data contains a PDFPASSWORD command. If so, then as indicated in step 364, the electronic document contained in the print data is a PDF password protected document. In step 360, the print data is processed as locked print data and is stored on storage 122 and not immediately processed.

If, in step 362 a determination is made that the print data does not contain a PDFPASSWORD command, then in step 366, a determination is made whether the print data contains a secure job command. One example of a secure job command is a command that indicates locked printing. If so, then the secure job command is evaluated to determine whether it matches any known command types. For example, in step 368 a determination is made whether the secure job command is a JOBPASSWORD3 command. In step 370 a determination is made whether the secure job command is a JOBPASSWORD2 command. In step 372, a determination is made whether the secure job command is a JOBPASSWORD1 command. If the secure job command is any of these types of commands, then as indicated in step 378, the print data represents a locked print job and in step 380 the print data is stored on storage 122 and not immediately processed. In this example, the JOBPASSWORD1 may represent an original locked print password, JOBPASSWORD2 may represent an updated locked print password and JOBPASSWORD3 a new locked print password. The password control data 250 may be used to determine whether the print data should be processed as locked print data.

If, in step 356 the print data does not include an APSUSERNAME command, or if in step 366 the print data does not include a secure job command, then as indicated in step 374, the data is processed as a normal print job and in step 376 is either printed or aborted.

Returning to FIG. 3A, in step 312, a user requests access to locked print jobs stored on the printing device and is authenticated. For example, a user may select a locked print jobs button or icon on user interface 116 to request access to locked print jobs stored on printing device 102. Then the user is queried for user credential data, such as a user ID and password. The user credential data is authenticated. For example, locked print module 120 may be configured to authenticate the user credential data based upon data stored locally on storage 122. This may include, for example, comparing a user ID and password pair specified in the user credential data to a list of verified user ID/password pairs. As another example, a one-way hash function may be used to generate a result based upon the user ID/password pair specified in the authentication data. The result may then be compared to a list of verified results. These are just two examples of how authentication of the user credential data may be performed and the invention is not limited to any particular authentication mechanism or approach. Instead of authenticating the user credential data locally on printing device 102, the user credential data may be authenticated remotely with respect to printing device 102. For example, locked print module 120 may cause the user credential data to be transmitted to another location, e.g., authentication server 108 over network 110, for authentication. Locked print module 120 receives a return indication from the other location indicating whether the authentication data was verified.

If the user is successfully authenticated, then in step 314, the user is given access to the locked print data. For example, a list of locked print jobs associated with the user may be displayed on the user interface 116. Print data may be arranged on the user interface 116, for example, sorted by name or in an order in which the print data was received by printing device 102. The graphical user interface may also include one or more user interface objects that allow a user to select one or more print data to be processed at printing device 102 and one or more actions to be performed on those print data. For example, a user may select a user interface object associated with particular print data and then select a user interface object associated with a printing or deleting function to cause the particular print data to be processed accordingly. Users may be given different types of access to locked print data, depending upon a particular implementation. For example, users may be given access to only the print data that they generated. As another example, users may be given access to all locked print data associated with a logical group, such as a department, project, team, etc. As yet another example, an administrative user may be given access to all locked print data on a printing device so that the administrative user can properly manage the printing device. Access may be based upon the user credential data or other data stored on printing device 102.

In step 316, the user selects print data to be processed and one or more actions to be performed on the print data. In the present example, the user selects print data for printing.

In step 318, steps are performed to allow the selected print data to be processed. This may include various steps, depending upon the particular print data being processed. For example, suppose that the electronic document contained in the selected print data is a PDF password protected or a locked print document. In this situation, the user is queried for a password via the user interface 116. The password entered by the user is compared to a password for the protected document. If the passwords match, then the print data is allowed to be processed. As another example, if the electronic document contained in the print data is determined to be a policy-enabled document, then the locked print module 120 consults with policy server 106 to determine whether the user is authorized to make this determination. This may include, for example, the locked print module 120 transmitting to policy server 106 data that identifies the policy-enabled electronic document selected for printing by the user, along with at least part of the user credential information, for example a user ID. According to one embodiment of the invention, the user interface and PSM client module 202 acts as a policy client with respect to the policy server 106 and provides the interaction with the policy server 106. The policy server 106 determines, based upon one or more policies, whether the user associated with the user ID is authorized to access the policy-enabled electronic document. The policy applied to make this determination may be specific to the printing of electronic documents, i.e., a print-specific policy, or may be a more general policy applied to any type of access to electronic documents. For example, a particular user may be authorized to have read-only access to a particular electronic document, but not print access.

The policy server 106 then returns to the locked print module 120 data that indicates whether the user associated with the user ID is authorized to access the policy-enabled electronic document. The locked print module 120 may also provide the full user credential data to policy server 106 to allow the policy server 106 to perform authentication in conjunction with authentication server 108.

Additional authentication may also be performed in conjunction with applying the policy. For example, when a user selects to print a policy-enabled electronic document, the user may be queried for additional user credential data, such as a user ID and password, that are used by the policy server 106 to provide additional authentication of the user. Although policy server 106 is depicted in the figures and described herein as being a separate entity from the printing device 102, the functionality provided by policy server 106 may be implemented locally on printing device 102. For example, printing device 102 may be configured with a policy process that makes the determination whether a user is authorized to access a particular policy-enabled electronic document.

In step 320, the print data is printed if the user is allowed to print the print data. This may include decrypting the print data using a decryption key received from policy server 106, or another source. According to one embodiment of the invention, the password control data 250 is used to decrypt the print data to generated decrypted print data. For example, suppose that the print data includes a JOBPASSWORD2 command. The locked print module 120 accesses the password control block in password control data 250 that corresponds to the JOBPASSWORD2 command to determine how to decrypt the print data. This may include traversing a linked list of password control blocks to locate a particular password control block that corresponds to the password command. The decrypted print data is then printed. Once successfully printed, the print data may be deleted from storage 122 or retained for further processing. If the user is not allowed to print the print data, then other action may be taken. For example, a message may be displayed on the user interface 116 of printing device 102 to inform the user that the user is not authorized to print the print data.

FIG. 4 is a block diagram that depicts an example implementation of a printing device 400 configured to support processing of print data using password control data, according to one embodiment of the invention. Printing device 400 includes a network module 402 for receiving print jobs over a communications link. Network module 402 includes a print daemon module 404. Received print jobs are processed by a print application 406. A locked print job capture module 408 processes print jobs and determines whether the print jobs are normal print jobs, locked print jobs, or policy-enabled print jobs. Locked print job capture module 408 may make this determination, for example, by examining the headers of received print jobs and determining whether the headers contain commands that indicate the type of print job. Locked print job capture module 408 is configured to cause locked print jobs to be stored on storage 410, that may be any type of volatile storage, non-volatile storage, or combination of volatile and non-volatile storage. A PDF2PS module 412 is configured to convert print jobs between PDF and postscript formats and accesses a shared memory 414. A locked print UI module and PSM client 416 provides UI functionality and also interacts as a policy server client with a policy server. The locked print UI module and PSM client 416 also has a local connection to the print daemon module 404. A Web configuration module 418 allows a user, such as an administrator, to configure locked print functionality on printing device 400. Thus, in the example depicted in FIG. 4, a locked print application includes the locked print job capture module 408, the locked print UI module and PSM client 416 and the Web configuration module 418.

V. Implementation Mechanisms

The approach described herein for processing print data using password control data may be implemented using Web Services. For example, printing device 102 may be a Web Services enabled device and support discovery, metadata exchange and event processing functionality.

The approach described herein for printing print data using password control data may be implemented on any type of computing platform or architecture. For purposes of explanation, FIG. 5 is a block diagram that depicts an example computer system 500 upon which embodiments of the invention may be implemented. Computer system 500 includes a bus 502 or other communication mechanism for communicating information, and a processor 504 coupled with bus 502 for processing information. Computer system 500 also includes a main memory 506, such as a random access memory (RAM) or other dynamic storage device, coupled to bus 502 for storing information and instructions to be executed by processor 504. Main memory 506 also may be used for storing temporary variables or other intermediate information during execution of instructions to be executed by processor 504. Computer system 500 further includes a read only memory (ROM) 508 or other static storage device coupled to bus 502 for storing static information and instructions for processor 504. A storage device 510, such as a magnetic disk or optical disk, is provided and coupled to bus 502 for storing information and instructions.

Computer system 500 may be coupled via bus 502 to a display 512, such as a cathode ray tube (CRT), for displaying information to a computer user. An input device 514, including alphanumeric and other keys, is coupled to bus 502 for communicating information and command selections to processor 504. Another type of user input device is cursor control 516, such as a mouse, a trackball, or cursor direction keys for communicating direction information and command selections to processor 504 and for controlling cursor movement on display 512. This input device typically has two degrees of freedom in two axes, a first axis (e.g., x) and a second axis (e.g., y), that allows the device to specify positions in a plane.

The invention is related to the use of computer system 500 for implementing the techniques described herein. According to one embodiment of the invention, those techniques are performed by computer system 500 in response to processor 504 executing one or more sequences of one or more instructions contained in main memory 506. Such instructions may be read into main memory 506 from another computer-readable medium, such as storage device 510. Execution of the sequences of instructions contained in main memory 506 causes processor 504 to perform the process steps described herein. In alternative embodiments, hard-wired circuitry may be used in place of or in combination with software instructions to implement the invention. Thus, embodiments of the invention are not limited to any specific combination of hardware circuitry and software.

The term “computer-readable medium” as used herein refers to any medium that participates in providing data that causes a computer to operation in a specific manner. In an embodiment implemented using computer system 500, various computer-readable media are involved, for example, in providing instructions to processor 504 for execution. Such a medium may take many forms, including but not limited to, non-volatile media and volatile media. Non-volatile media includes, for example, optical or magnetic disks, such as storage device 510. Volatile media includes dynamic memory, such as main memory 506. Common forms of computer-readable media include, for example, a floppy disk, a flexible disk, hard disk, magnetic tape, or any other magnetic medium, a CD-ROM, any other optical medium, a RAM, a PROM, and EPROM, a FLASH-EPROM, any other memory chip or memory cartridge, or any other medium from which a computer can read.

Various forms of computer-readable media may be involved in carrying one or more sequences of one or more instructions to processor 504 for execution. For example, the instructions may initially be carried on a magnetic disk of a remote computer. The remote computer can load the instructions into its dynamic memory and send the instructions over a telephone line using a modem. A modem local to computer system 500 can receive the data on the telephone line and use an infra-red transmitter to convert the data to an infra-red signal. An infra-red detector can receive the data carried in the infra-red signal and appropriate circuitry can place the data on bus 502. Bus 502 carries the data to main memory 506, from which processor 504 retrieves and executes the instructions. The instructions received by main memory 506 may optionally be stored on storage device 510 either before or after execution by processor 504.

Computer system 500 also includes a communication interface 518 coupled to bus 502. Communication interface 518 provides a two-way data communication coupling to a network link 520 that is connected to a local network 522. For example, communication interface 518 may be an integrated services digital network (ISDN) card or a modem to provide a data communication connection to a corresponding type of telephone line. As another example, communication interface 518 may be a local area network (LAN) card to provide a data communication connection to a compatible LAN. Wireless links may also be implemented. In any such implementation, communication interface 518 sends and receives electrical, electromagnetic or optical signals that carry digital data streams representing various types of information.

Network link 520 typically provides data communication through one or more networks to other data devices. For example, network link 520 may provide a connection through local network 522 to a host computer 524 or to data equipment operated by an Internet Service Provider (ISP) 526. ISP 526 in turn provides data communication services through the world wide packet data communication network now commonly referred to as the “Internet” 528. Local network 522 and Internet 528 both use electrical, electromagnetic or optical signals that carry digital data streams.

Computer system 500 can send messages and receive data, including program code, through the network(s), network link 520 and communication interface 518. In the Internet example, a server 530 might transmit a requested code for an application program through Internet 528, ISP 526, local network 522 and communication interface 518. The received code may be executed by processor 504 as it is received, and/or stored in storage device 510, or other non-volatile storage for later execution.

In the foregoing specification, embodiments of the invention have been described with reference to numerous specific details that may vary from implementation to implementation. Thus, the sole and exclusive indicator of what is, and is intended by the applicants to be, the invention is the set of claims that issue from this application, in the specific form in which such claims issue, including any subsequent correction. Hence, no limitation, element, property, feature, advantage or attribute that is not expressly recited in a claim should limit the scope of such claim in any way. The specification and drawings are, accordingly, to be regarded in an illustrative rather than a restrictive sense. 

What is claimed is:
 1. A printing device comprising: a user interface configured to display information to users and receive user input from the users; and a locked print module configured to: examine print data received by the printing device and determine whether the print data should be processed as locked print data based upon whether the print data includes one or more password commands that indicate that an electronic document represented in the print data is a policy-enabled electronic document, a PDF password protected document or a locked print document, in response to determining that the print data should be processed as locked print data based upon the print data including one or more password commands that indicate that an electronic document represented in the print data is a policy-enabled electronic document, a PDF password protected document or a locked print document, then cause the print data to be stored at the printing device instead of being processed for printing, authenticate a user via the user interface and upon successful authentication of the user, allow the user to request, via the user interface, printing of the print data, in response to detecting a user request to print the print data, querying the user via the user interface for a password for the print data, if the password received from the user via the user interface matches the password for the print data, then determining one or more password command types of the one or more password commands that are contained in the print data and that indicate that an electronic document represented in the print data is a policy-enabled electronic document, a PDF password protected document or a locked print document, processing the print data based upon the one or more password command types of the one or more password commands that are contained in the print data and that indicate that an electronic document represented in the print data is a policy-enabled electronic document, a PDF password protected document or a locked print document, and causing the processed print data to be printed at the printing device.
 2. The printing device as recited in claim 1, wherein the locked print module is further configured to in response to determining that the one or more password command types indicate that the electronic document represented in the print data is a policy-enabled electronic document, obtaining from a policy server data that indicates whether the user is authorized to access the electronic document.
 3. The printing device as recited in claim 1, wherein the locked print module is further configured to: identify password control data stored on the printing device that corresponds to the one or more password types and that indicates how print data associated with the one or more password types is to be processed, and process the print data based upon the one or more password command types of the one or more password commands that are contained in the print data and that indicate that an electronic document represented in the print data is a policy-enabled electronic document, a PDF password protected document or a locked print document includes processing the print data based upon the password control data to generate processed print data.
 4. The printing device as recited in claim 3, wherein: the password control data indicates how the print data is to be decrypted, and processing the print data based upon the password control data to generate processed print data includes decrypting the print data to generate decrypted print data.
 5. The printing device as recited in claim 3, wherein the printing device is configured to update the password control data with new password control data that indicates how print data associated with a new password type is to be processed.
 6. The printing device as recited in claim 1, further comprising a print process configured to process print data and cause a printed version of an electronic document contained in the print data to be generated by the printing device.
 7. A computer-implemented method for processing print data at a printing device, the computer-implemented method comprising: displaying information to users and receiving user input from the users; examining print data received by the printing device and determine whether the print data should be processed as locked print data based upon whether the print data includes one or more password commands that indicate that an electronic document represented in the print data is a policy-enabled electronic document, a PDF password protected document or a locked print document; in response to determining that the print data should be processed as locked print data based upon the print data including one or more password commands that indicate that an electronic document represented in the print data is a policy-enabled electronic document, a PDF password protected document or a locked print document, then causing the print data to be stored at the printing device instead of being processed for printing; authenticating a user via the user interface and upon successful authentication of the user, allowing the user to request, via the user interface, printing of the print data; in response to detecting a user request to print the print data, querying the user via the user interface for a password for the print data; and if the password received from the user via the user interface matches the password for the print data, then determining one or more password command types of the one or more password commands that are contained in the print data and that indicate that an electronic document represented in the print data is a policy-enabled electronic document, processing the print data based upon the one or more password command types of the one or more password commands that are contained in the print data and that indicate that an electronic document represented in the print data is a policy-enabled electronic document, a PDF password protected document or a locked print document, and causing the processed print data to be printed at the printing device.
 8. The computer-implemented method as recited in claim 7, further comprising in response to determining that the one or more password command types indicate that the electronic document represented in the print data is a policy-enabled electronic document, obtaining from a policy server data that indicates whether the user is authorized to access the electronic document.
 9. The computer-implemented method as recited in claim 7, further comprising: identifying password control data stored on the printing device that corresponds to the one or more password types and that indicates how print data associated with the one or more password types is to be processed, and processing the print data based upon the one or more password command types of the one or more password commands that are contained in the print data and that indicate that an electronic document represented in the print data is a policy-enabled electronic document, a PDF password protected document or a locked print document includes processing the print data based upon the password control data to generate processed print data.
 10. The computer-implemented method as recited in claim 9, wherein: the password control data indicates how the print data is to be decrypted, and the computer-implemented method further comprises decrypting the print data to generate decrypted print data.
 11. The computer-implemented method as recited in claim 9, further comprising updating the password control data with new password control data that indicates how print data associated with a new password type is to be processed.
 12. The computer-implemented method as recited in claim 7, further comprising processing print data and causing a printed version of an electronic document contained in the print data to be generated by the printing device.
 13. A non-transitory computer-readable medium for processing print data at a printing device, the non-transitory computer-readable medium storing instructions, the execution of the instructions by one or more processors causing: displaying information to users and receiving user input from the users; examining print data received by the printing device and determine whether the print data should be processed as locked print data based upon whether the print data includes one or more password commands that indicate that an electronic document represented in the print data is a policy-enabled electronic document, a PDF password protected document or a locked print document; in response to determining that the print data should be processed as locked print data based upon the print data including one or more password commands that indicate that an electronic document represented in the print data is a policy-enabled electronic document, a PDF password protected document or a locked print document, then causing the print data to be stored at the printing device instead of being processed for printing; authenticating a user via the user interface and upon successful authentication of the user, allowing the user to request, via the user interface, printing of the print data; in response to detecting a user request to print the print data, querying the user via the user interface for a password for the print data; and if the password received from the user via the user interface matches the password for the print data, then determining one or more password command types of the one or more password commands that are contained in the print data and that indicate that an electronic document represented in the print data is a policy-enabled electronic document, a PDF password protected document or a locked print document, processing the print data based upon the one or more password command types of the one or more password commands that are contained in the print data and that indicate that an electronic document represented in the print data is a policy-enabled electronic document, a PDF password protected document or a locked print document, and causing the processed print data to be printed at the printing device.
 14. The non-transitory computer-readable medium as recited in claim 13, further comprising additional instructions which, when processed by the one or more processors, causes in response to determining that the one or more password command types indicate that the electronic document represented in the print data is a policy-enabled electronic document, obtaining from a policy server data that indicates whether the user is authorized to access the electronic document.
 15. The non-transitory computer-readable medium as recited in claim 13, further comprising additional instructions which, when processed by the one or more processors, causes: identifying password control data stored on the printing device that corresponds to the one or more password types and that indicates how print data associated with the one or more password types is to be processed, and processing the print data based upon the one or more password command types of the one or more password commands that are contained in the print data and that indicate that an electronic document represented in the print data is a policy-enabled electronic document, a PDF password protected document or a locked print document includes processing the print data based upon the password control data to generate processed print data, determining whether the print data includes one or more password commands that indicate that an electronic document contained in the print data is a policy-enabled electronic document, a PDF password protected document or a locked print document.
 16. The non-transitory computer-readable medium as recited in claim 15, wherein: the password control data indicates how the print data is to be decrypted, and the computer-readable medium further comprises additional instructions which, when processed by the one or more processors, causes decrypting the print data to generate decrypted print data.
 17. The non-transitory computer-readable medium as recited in claim 15, further comprising additional instructions which, when processed by the one or more processors, causes updating the password control data with new password control data that indicates how print data associated with a new password type is to be processed.
 18. The non-transitory computer-readable medium as recited in claim 13, further comprising additional instructions which, when processed by the one or more processors, causes processing print data and causing a printed version of an electronic document contained in the print data to be generated by the printing device. 